Compliance is surging, risk is not dropping accordingly. The gap? Europe regulates outcomes and process well (incidents, reporting, assurance, lifecycle), but does not standardize causes—the initial threats that open the door. TLCTC fills that gap with a simple, universal, cause-oriented threat taxonomy (10 clusters), an attack-path notation with temporal analysis (Δt), and domain boundary operators that make reporting, prioritization, and controls consistent across sectors.
Thesis
The EU's flagship cyber regulations (NIS2, the Cybersecurity Act, and the Cyber Resilience Act) will under-deliver on actual cyber risk reduction because they lack a shared, cause-based understanding and categorization of cyber threats. They would materially benefit from adopting the Top Level Cyber Threat Clusters (TLCTC) as a unifying taxonomy.
Why This Matters Now
Across the EU, NIS2 broadens who must manage cyber risk and how to report it. The Cybersecurity Act enables EU-wide certification schemes. The new Cyber Resilience Act (CRA) forces manufacturers to build and maintain secure products and report severe incidents and actively exploited vulnerabilities. These are big wins for governance and accountability.
But boards, regulators, CSIRTs, and vendors still struggle to speak the same threat language. Reports arrive framed as effects ("ransomware outage", "data breach"), not as causes (the initial abuse path). Without a shared threat vocabulary, three problems persist:
- Inconsistent reporting & metrics – Two identical attacks get classified differently by sector/authority. Apples-to-oranges data cripples EU-level situational awareness.
- Misaligned controls – Controls are selected for symptoms ("stop ransomware") instead of the initial threats (e.g., #9 Social Engineering or #4 Identity Theft), wasting budget.
- Fragmented supply-chain risk – CRA and NIS2 demand supplier assurance, yet buyers and vendors lack a common threat model to contract against.
Reframing EU Cyber Through TLCTC
Within the TLCTC framework, every compromise begins when an attacker exploits a generic vulnerability via one of ten Top Level Cyber Threat Clusters. We treat threats as causes (not effects), and we track multi-stage attacks with a compact attack-path notation that now includes temporal analysis and domain boundaries.
The 10 TLCTC Clusters (Strategic Layer)
| # | Cluster | Generic Vulnerability |
|---|---|---|
| 1 | Abuse of Functions | Misuse of legitimate feature/logic/configuration |
| 2 | Exploiting Server | Flaws in server-side code implementation |
| 3 | Exploiting Client | Flaws in client-side code implementation |
| 4 | Identity Theft | Illegitimate USE of credentials/tokens/keys to impersonate |
| 5 | Man-in-the-Middle | Attacker abuses position on communication path |
| 6 | Flooding Attack | Capacity exhaustion (network, API, CPU, quotas) |
| 7 | Malware | Execution of foreign code/scripts/LOLBAS |
| 8 | Physical Attack | Unauthorized physical interaction/interference |
| 9 | Social Engineering | Human psychological manipulation |
| 10 | Supply Chain Attack | Compromise via trusted third-party components/services |
Axioms that matter for regulators:
- Threats are causes (not events like "data breach")
- Credentials are system control elements (not just data)
- Every attack path is a sequence of these clusters
- The model is generic (works for OT/IT/IoT alike)
- Credential acquisition maps to the enabling cluster (#9, #5, #7, etc.); credential use always maps to #4
Attack-Path Notation (Operational Layer)
Basic Notation
We describe an attack end-to-end as a sequence of clusters:
#9 → #7 → #4 → (#1 + #7)This represents:
- #9 Social Engineering – Phishing gets user to run macro
- #7 Malware – Loader/beacon executes
- #4 Identity Theft – Token theft or credential replay (USE of stolen credentials)
- #1 + #7 – Abuse of Functions (admin tools) + Malware (encryptor) in parallel
V2.0 Enhancement: Attack Velocity (Δt)
TLCTC V2.0 introduces temporal notation to capture how fast attacks progress:
#9 →[Δt=2h] #7 →[Δt=5m] #4 →[Δt=instant] (#1 + #7)This tells regulators:
- 2 hours from phishing to malware execution
- 5 minutes from malware to credential theft
- Instant transition to encryption
Why this matters: Two attacks with identical cluster sequences but different velocities require completely different defenses:
- Slow/Latent (days-weeks): Threat hunting, behavioral analytics, log retention
- Fast/Realtime (seconds-minutes): Automated containment, SOAR, AI-driven blocking
V2.0 Enhancement: Domain Boundary Operators
For supply chain and cross-domain attacks, use the || operator to mark trust transitions:
#2 →[Δt=2d] #7 →[Δt=3w] #4 →[Δt=1d] #1 ||[dev][@Vendor→@Org]|| →[Δt=0s] #7Translation: Attacker exploited server (#2) at vendor, deployed malware (#7), stole credentials (#4), abused build pipeline (#1), then the compromised update crossed the trust boundary from @Vendor to @Org via development channel, instantly executing malware (#7) in your environment.
This notation cleanly separates cause from effect, is compact enough for incident forms and dashboards, and explicitly shows where responsibility shifts.
The Bridge Cluster Problem: Why Technical Controls Alone Fail
Three clusters—#8 Physical Attack, #9 Social Engineering, and #10 Supply Chain—are fundamentally different from the others. They are bridge clusters that cross domain boundaries, moving attacks from one responsibility sphere to another where different control regimes apply.
The Critical Insight
Bridge clusters don't defeat your controls—they move the attack to a domain where those controls don't apply.
| Type | Clusters | Characteristic |
|---|---|---|
| Bridge | #8, #9, #10 | Cross domain boundaries (physical→cyber, human→cyber, vendor→org) |
| Internal | #1 - #7 | Operate within single domain's trust model |
Implication for EU Regulation
EU regulation should require that entities report which domain boundary was crossed in incidents, not just "we were phished." This enables cross-sector analysis of whether technical controls or human/physical/supply-chain controls need investment.
Recommended reporting field:
Domain Transition: [human]→[cyber] | [physical]→[cyber] | [@Vendor]→[@Org] | NoneWhere EU Law is Strong—and Where It's Silent
Strong
- Clear incident stages & deadlines
- Risk-management baselines
- Coordinated vulnerability disclosure
- CRA-driven secure product lifecycle
Silent (or inconsistent)
- No mandated cause-based threat taxonomy
- Incident templates mix actor, vector, and effect
- No temporal analysis requirements
- No domain boundary tracking
Bottom line: EU law sets the process (who, when, how) but not the language of causes (what, exactly, happened at the start) or the physics of attacks (how fast, across which boundaries).
How TLCTC Plugs In—Without Changing the Law
Think of TLCTC as the Rosetta Stone that sits underneath existing requirements:
NIS2 Reporting
Standardize the "type of threat or root cause" field with TLCTC. Every notification carries:
- Attack path with velocity:
#9 →[Δt=2h] #7 →[Δt=5m] #4 →[Δt=instant] (#1+#7) - Domain transition:
[human]→[cyber] - Initial cluster:
#9 - Aggregate insight: "38% of significant incidents begin with #9 Social Engineering this quarter, with median velocity to impact of 4.2 hours."
Cybersecurity Act (Certification)
Map certification controls to clusters (10×5 matrix vs. NIST CSF functions) so schemes prove coverage against causes, not just generic capability:
| Cluster | IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER |
|---|---|---|---|---|---|
| #1 Abuse of Functions | Logic review | Least privilege | Behavior analytics | Playbook | Config restore |
| #2 Exploiting Server | SAST/DAST | Patching, WAF | IDS/IPS | Containment | Rebuild |
Example: Same Incident, Clearer Insight
Before (Effect-Oriented)
"We suffered ransomware from a phishing email."
Problems:
- No causal analysis
- No velocity information
- No domain boundary information
- Cannot compare across organizations
After (Cause-Oriented)
Path: #9 →[Δt=2h] #7 →[Δt=14d] #4 →[Δt=3h] (#1 + #7)
Metrics:
- Domain Transition: [human]→[cyber]
- Initial Cluster: #9 Social Engineering
- Velocity Class: Medium → Latent → Fast
Board-Level Metric: Detection Coverage Score (DCS)
How do you tell the Board if you are secure? "We stopped 100 viruses" is a vanity metric. The Detection Coverage Score (DCS) is a strategic KPI derived from Attack Velocity:
- DCS < 1.0: You detect faster than the adversary moves (winning)
- DCS > 1.0: The adversary completes the step before you detect it (losing)
What Would Change on Day 1 of TLCTC Adoption
- Incident forms gain required fields: Attack Path, Initial Cluster, Domain Transition, Velocity Class.
- Dashboards show start-of-attack distributions and velocity trends.
- Supplier due diligence uses a short TLCTC questionnaire.
- Board risk reports track DCS scores by critical attack paths.
Quick Reference: TLCTC Clusters with Control Intent
| Cluster | Control Intent |
|---|---|
| #1 Abuse | Harden business logic, constrain scope, least privilege, change approval |
| #2 Server | Secure SDLC, SAST/DAST, memory-safe patterns, patch SLAs, WAF |
| #3 Client | Browser isolation, rapid patching, client hardening, sandbox untrusted content |
| #4 ID Theft | Phishing-resistant MFA (FIDO2), key management, PAM, device-bound tokens |
| #5 MitM | Strong TLS, certificate pinning, secure routing, DNSSEC, mTLS |
| #6 Flood | Capacity planning, rate limiting, scrubbing services, auto-scale |
| #7 Malware | Application allow-listing, EDR, egress controls, script policies |
| #8 Physical | Tamper protection, secure facilities, media control, port security |
| #9 Social | Training, simulation, protected workflows, multi-person approvals |
| #10 Supply | Supplier assurance, code signing, update verification, SBOM |
Objections & Answers
"Isn't 'ransomware' already a category?"
No—ransomware is an effect. TLCTC insists on causes. The same ransomware family might arrive via #9→#7 (phishing) or #10→#7 (supply chain)—these require completely different controls.
"Won't this create reporting burden?"
Minimal. One short line per incident. The payoff in analytics and targeted guidance is substantial.
Call to Action
For Regulators: Add TLCTC to templates. Publish cluster stats. Track velocity trends.
For Entities: Procure by cluster. Train leadership on DCS. Tag incidents with TLCTC clusters.
For CRA Manufacturers: Map CVEs to clusters. Document supply chain boundaries.
Notes & References
This article discusses the EU's NIS2 Directive, the Cybersecurity Act, and the Cyber Resilience Act. It proposes TLCTC v1.9.1 with V2.0 concepts (Attack Velocity Δt, Domain Boundaries ||, Bridge/Internal cluster distinction).
Added Attack Velocity (Δt), Domain Boundaries (||), Bridge Cluster visualization, and Detection Coverage Score (DCS). Updated control table with credential handling clarification.